CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9813 vulnerabilities reference this CWE, most recent first.
GHSA-MG3P-X95M-PCQH
Vulnerability from github – Published: 2022-05-24 21:59 – Updated: 2022-10-12 19:00Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-7088"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-23T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-mg3p-x95m-pcqh",
"modified": "2022-10-12T19:00:37Z",
"published": "2022-05-24T21:59:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7088"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-17.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG3Q-2G68-QP7W
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2025-04-12 13:01Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
{
"affected": [],
"aliases": [
"CVE-2016-3189"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-06-30T17:59:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"id": "GHSA-mg3q-2g68-qp7w",
"modified": "2025-04-12T13:01:33Z",
"published": "2022-05-13T01:07:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4038-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4038-1"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201708-08"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jul/22"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73@%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73%40%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af@%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af%40%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3%40%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1319648"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/20/1"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91297"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG3R-FX4Q-5FG2
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.
{
"affected": [],
"aliases": [
"CVE-2021-33390"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:20Z",
"severity": "CRITICAL"
},
"details": "dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.",
"id": "GHSA-mg3r-fx4q-5fg2",
"modified": "2024-04-04T07:06:36Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33390"
},
{
"type": "WEB",
"url": "https://gitlab.com/aplevich/dpic/-/issues/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG5G-2XMF-9P22
Vulnerability from github – Published: 2022-05-14 00:52 – Updated: 2022-05-14 00:52Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2018-19698"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-18T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-mg5g-2xmf-9p22",
"modified": "2022-05-14T00:52:30Z",
"published": "2022-05-14T00:52:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19698"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-41.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106164"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG62-WJ4P-3WQ4
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-30 12:30In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.
Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.
Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.
{
"affected": [],
"aliases": [
"CVE-2026-46036"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:22Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex\n\nvfio_cdx_set_msi_trigger() reads vdev-\u003econfig_msi and operates on the\nvdev-\u003ecdx_irqs array based on its value, but provides no serialization\nagainst concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race\nsuch that one observes config_msi as set while another clears it and\nfrees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free\nof the cdx_irqs array.\n\nAdd a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in\nvfio_cdx_set_msi_trigger(), which is the single chokepoint through\nwhich all updates to config_msi, cdx_irqs, and msi_count flow, covering\nboth the ioctl path and the close-device cleanup path. This keeps the\ntest of config_msi atomic with the subsequent enable, disable, or\ntrigger operations.\n\nDrop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part\nof this change: the optimization it provided is redundant with the\n!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the\ntest in place would be an unsynchronized read of state the new lock is\nmeant to protect.",
"id": "GHSA-mg62-wj4p-3wq4",
"modified": "2026-05-30T12:30:24Z",
"published": "2026-05-27T15:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG6P-QRWV-X883
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-02-26 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15386.
{
"affected": [],
"aliases": [
"CVE-2021-46592"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T20:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15386.",
"id": "GHSA-mg6p-qrwv-x883",
"modified": "2022-02-26T00:00:53Z",
"published": "2022-02-19T00:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46592"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0004"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-179"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MG6X-HXXW-4X59
Vulnerability from github – Published: 2022-05-14 03:26 – Updated: 2022-05-14 03:26In bta_pan_data_buf_ind_cback of bta_pan_act.cc there is a use after free that can result in an out of bounds read of memory allocated via malloc. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67110692.
{
"affected": [],
"aliases": [
"CVE-2017-13257"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-04T17:29:00Z",
"severity": "MODERATE"
},
"details": "In bta_pan_data_buf_ind_cback of bta_pan_act.cc there is a use after free that can result in an out of bounds read of memory allocated via malloc. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67110692.",
"id": "GHSA-mg6x-hxxw-4x59",
"modified": "2022-05-14T03:26:44Z",
"published": "2022-05-14T03:26:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13257"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-03-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MG7C-MFQW-JG72
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
md: fix mddev uaf while iterating all_mddevs list
While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deletint the next mddev, causing UAF:
t1: spin_lock //list_for_each_entry_safe(mddev, n, ...) mddev_get(mddev1) // assume mddev2 is the next entry spin_unlock t2: //remove mddev2 ... mddev_free spin_lock list_del spin_unlock kfree(mddev2) mddev_put(mddev1) spin_lock //continue dereference mddev2->all_mddevs
The old helper for_each_mddev() actually grab the reference of mddev2 while holding the lock, to prevent from being freed. This problem can be fixed the same way, however, the code will be complex.
Hence switch to use list_for_each_entry, in this case mddev_put() can free the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor out a helper mddev_put_locked() to fix this problem.
{
"affected": [],
"aliases": [
"CVE-2025-22126"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T15:16:06Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix mddev uaf while iterating all_mddevs list\n\nWhile iterating all_mddevs list from md_notify_reboot() and md_exit(),\nlist_for_each_entry_safe is used, and this can race with deletint the\nnext mddev, causing UAF:\n\nt1:\nspin_lock\n//list_for_each_entry_safe(mddev, n, ...)\n mddev_get(mddev1)\n // assume mddev2 is the next entry\n spin_unlock\n t2:\n //remove mddev2\n ...\n mddev_free\n spin_lock\n list_del\n spin_unlock\n kfree(mddev2)\n mddev_put(mddev1)\n spin_lock\n //continue dereference mddev2-\u003eall_mddevs\n\nThe old helper for_each_mddev() actually grab the reference of mddev2\nwhile holding the lock, to prevent from being freed. This problem can be\nfixed the same way, however, the code will be complex.\n\nHence switch to use list_for_each_entry, in this case mddev_put() can free\nthe mddev1 and it\u0027s not safe as well. Refer to md_seq_show(), also factor\nout a helper mddev_put_locked() to fix this problem.",
"id": "GHSA-mg7c-mfqw-jg72",
"modified": "2025-11-03T21:33:39Z",
"published": "2025-04-16T15:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22126"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5462544ccbad3fc938a71b01fa5bd3a0dc2b750a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8542870237c3a48ff049b6c5df5f50c8728284fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca9f84de76723b358dfc0606668efdca54afc2e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d69a23d8e925f8052d657652a6875ec2712c7e33"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2a9f73ee408a460f4c9dfe03b4741d6b11652b8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG7H-Q7HW-M596
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-05-07 06:31In the Linux kernel, the following vulnerability has been resolved:
mm: call ->free_folio() directly in folio_unmap_invalidate()
We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.
Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
{
"affected": [],
"aliases": [
"CVE-2026-31589"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:34Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call -\u003efree_folio() directly in folio_unmap_invalidate()\n\nWe can only call filemap_free_folio() if we have a reference to (or hold a\nlock on) the mapping. Otherwise, we\u0027ve already removed the folio from the\nmapping so it no longer pins the mapping and the mapping can be removed,\ncausing a use-after-free when accessing mapping-\u003ea_ops.\n\nFollow the same pattern as __remove_mapping() and load the free_folio\nfunction pointer before dropping the lock on the mapping. That lets us\nmake filemap_free_folio() static as this was the only caller outside\nfilemap.c.",
"id": "GHSA-mg7h-q7hw-m596",
"modified": "2026-05-07T06:31:40Z",
"published": "2026-04-24T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31589"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/615d9bb2ccad42f9e21d837431e401db2e471195"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b667df39d98a7a24be7c2a40ff0863dac1ad2cd7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c330e65ea59c4805d6ab6757c4ddfe8c63acef31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efc52947247a21bbf79059539bbbd40f4ea76f00"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG8F-XFFH-JHX4
Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29A double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-6086"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-04T17:29:00Z",
"severity": "HIGH"
},
"details": "A double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page.",
"id": "GHSA-mg8f-xffh-jhx4",
"modified": "2022-05-14T01:29:44Z",
"published": "2022-05-14T01:29:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1195"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/827492"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201804-22"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4182"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.